Four Burning Questions on GDPR

Tackling Four Burning Questions on GDPR and the Rise of Email-based Cybercrime

The deadline for compliance with the European Union General Data Protection Regulation (GDPR) is approaching fast. In our recent webinar GDPR and the Rise of Email-Based Cybercrime, our special guest, Forrester Research Analyst Enza Iannopollo, addressed several burning questions on the critical role email security and management plays in an effective GDPR strategy.

1. My company’s HQ is in the US, and we have no sites in EU countries. Tell me why I should be concerned about the EU General Data Protection Regulation (GDPR).

All firms that offer any products or services to the EU market, or collect data of EU customers to profile them, fall within the scope of the GDPR. Therefore, regardless of the location of your HQ, ask yourself whether your organization engages in any of the above activities. If the answer is yes, then you must comply with the rules.

2. How does email factor into an organization’s GDPR risk management strategy?

Organizations run on emails — internally to enable communication among employees, but also externally to allow firms to communicate with their customers and business partners. We share countless pieces of personal data and sensitive information every day over emails. It’s enough to send that data to an unauthorized recipient, intentionally or by mistake — it makes no difference — to be in breach of privacy rules.

Emails also remain one of the preferred vectors of attack to steal data from organizations. Malicious attachments or URLs contained in apparently innocuous emails, or email fraud perpetrated with attacks such as whaling and business email compromise, are just a few examples.

Under GDPR, all firms must take appropriate organizational and technical measures to protect the personal data of their customers, employees, and business partners. Making sure that emails are secure is a crucial part of any business’ risk management strategy.

3. Our email is part of a cloud productivity suite. If a breach should happen, does this arrangement let my company avoid exposure to financial penalties?

GDPR introduces joint responsibility of data processors — such as service providers — and data controllers in case of privacy breaches. Under the new rules, data processors, jointly with data controllers, may be liable for breaking the law and must notify regulators, their customers, and end users directly in the event of a data breach. They will also need to pay fines and compensate customers for the material and/or nonmaterial damage caused by the attack.

But this doesn’t mean that the data controller — your company, in this case — is not exposed to financial penalties. In fact, GDPR requires data controllers to perform continuous audits and monitoring of their data processors and to make sure that their privacy practices are compliant with GDPR. Where controllers and processors are involved in the same processing and are responsible for any damage caused, each shall be held liable for the entire damage.

4. What best practices do you recommend for managing GDPR compliance for email?

Securing emails remains a must for every company. GDPR requires that firms put in place necessary measures to mitigate risks to the personal data that private and public organizations handle. In case a breach occurs, but also when regulators demand evidence of your compliance strategy, organizations that deploy — and document their deployments of — effective measures to secure their assets, including emails, will be better off.

Additionally, we have to consider that GDPR creates mechanisms through which individuals can exercise their rights over their personal data, such as the right to access data, the right to data portability, and the right to be forgotten.